
Tag Archives: encryption

Jan 14

Today, more and more people appreciate the need for layered protection of their homes. Reliable door and window grating is the first barrier. A security system that monitors the premises and reports events is the second. When an incident occurs, it has to be responded to immediately and as effectively as possible, and a professional monitoring service is unmatched in this respect.

Demand breeds supply — the number of new security and service companies that ensure protection of a specific area of a city, residential compound or cottage estate is growing. They rely on new technologies, and efficiency, quality of service, and reliability represent the key success factors of their business. People are willing to pay for such security services.

Ajax fits neatly into this new security business model: users like it, and it has proven its reliability to professionals. Because of its quick installation, remote administration, simple servicing and high reliability, more and more security companies choose Ajax as their standard equipment. The Ajax applications for smartphones and computers have already saved installers and engineers thousands of hours.

Ajax's aim is to offer a comprehensive solution for protecting a residential area, hundreds of private houses or thousands of apartments, with professional monitoring and effective response around the clock. The updated Ajax PRO Desktop application is that solution.

New features

Starting a monitoring service based on a standard console software requires careful preparation. A new company needs to set up equipment, adapt the application, and train its staff. However, these are not all the difficulties — every facility will have to be connected to the console manually, and this procedure cannot be automated in any way.

In October 2017, Ajax released a mobile application, Ajax PRO: Tool for Engineers, and half a year later a version for computers, Ajax PRO Desktop. Both programs complement the Central Monitoring Station (CMS) and simplify the management of Ajax security systems for installers and engineers.

Today, Ajax presents the monitoring feature in Ajax PRO Desktop. The application allows an operator to process alarms arriving from up to 2500 facilities, configure security systems remotely, adjust detectors at customers' request, and manage access rights. Facilities are connected automatically in a few minutes with no additional settings, and there is nothing superfluous in Ajax PRO Desktop: a short briefing is enough to get started.

Ajax PRO Desktop is a free alternative to the Central Monitoring Station for security and service companies that ensure safety of residential compounds and cottage estates.

Implementation of monitoring is a simple task

Having chosen Ajax PRO Desktop as the monitoring solution, you do not need to spend time setting up the application and the security systems or transferring information manually. You simply log into the administrator account, request access to the hubs, and specify the addresses of the facilities.

Thanks to the Ajax Cloud server, all Ajax applications contain up-to-date information about the security systems: composition of devices, settings, user rights, and events.

Connecting a security system with 5 detectors to the monitoring program

Connection procedure
  CMS application: 14 minutes. 1. Set up monitoring at the central monitoring station. 2. Create a facility card at the CMS. 3. Describe the detectors.
  Ajax PRO Desktop with monitoring function: 3 minutes. 1. Invite the PRO user. 2. Fill in the facility address and description.

Employees involved
  CMS application: 2 persons (engineer at the site and CMS operator).
  Ajax PRO Desktop with monitoring function: 1 person (Ajax PRO Desktop operator).

Error probability
  CMS application: High; the facility profile in the CMS is filled in manually.
  Ajax PRO Desktop with monitoring function: Excluded; data is synchronized between the Ajax applications.

What can Ajax PRO Desktop do?

Using the Ajax PRO Desktop application, a single operator at a security or service company can manage up to 2500 Ajax security systems.

The monitoring functions open in a separate window and do not block the other features of Ajax PRO Desktop. While monitoring security system events, you can also change system settings, manage access rights, and view the status of each guarded facility.

The event window is as informative as possible and can be filtered by alarms, malfunctions, general events, and security events. Each type of event is assigned its own color, which simplifies navigation.

How does the system respond to alarms?

When a guarded facility is trespassed, caught on fire or is flooded, the operator receives an audible notification of an event in Ajax PRO Desktop. All the necessary information is available in the Alarm handling menu:

  • Where exactly the incident occurred.
  • What caused the alarm: for example, the entrance door opening detector tripped and movement was then detected in the hallway (trespass); smoke was detected in the kitchen; the panic button was pressed in the application or on the keyfob; a duress code was entered because the user was forced to disarm the system.
  • The real-time update of the facility security system event history.
  • Who are the users of this security system and their contacts.

The operator passes the alarm to the rapid response team by radio or whatever other means the company has adopted, and reports on the nature of the event, since this determines how the guards will act. If there is reason to believe residents are in danger, the priority is to reach the apartment or house as fast as possible. In the event of a robbery, it makes sense to cordon off the building first and check for suspicious vehicles nearby. The best way to limit flooding is to shut off the water supply to the floor or the building.

Having notified the rapid response team, the operator contacts the security system users and reports on the measures taken.

When the problem is resolved, the alarm is marked as processed in Ajax PRO Desktop and supplemented with comments from the operator and the security guards. These comments, together with the timestamps of when the alarm was acknowledged and processed that are stored in the event history, will be useful if a client complains.

The Ajax PRO Desktop application is available for macOS and Windows 7/8/10. Minimum computer requirements:

  CPU: Intel / AMD 1.2 GHz
  GPU: 3D accelerator
  RAM: 2 GB
  Storage: 400 MB
Jan 29

Tough European Union Standards Are Set to Impact Cyber Security and Compliance Worldwide

As an early adopter and leader in the development of drive-level encryption technologies, Seagate understands that the most valuable asset in any storage system is the data itself. And while encryption is only a small part of any true security strategy, it can also help with privacy compliance.

Recent high profile mass data breaches, such as Equifax and Yahoo, have brought cyber security issues virtually to the mainstream. The General Data Protection Regulation (GDPR) means tough European Union (EU) standards on security and compliance will also become the norm in the US and worldwide. There is now greater emphasis on accountability, and drive-level encryption technologies are one method by which organizations can demonstrate this.

Changes to the GDPR

The GDPR is the most significant change in the world of data protection in a generation. It updates the law to recognize the significant advances in technology during the last 20 years, and to address those technologies that will likely emerge in the future. The goal is twofold: (1) balance an individual's right to protection, and (2) allow a data-based economy to thrive without stifling innovation.

Key changes at a glance:

Scope. The GDPR applies to organizations based in the EU and any organization anywhere in the world which offers goods or services or monitors the behavior of people located in the EU. Citizenship or residency status is not pertinent. The GDPR also contains direct obligations on service providers (known as processors) for the first time. Furthermore, the European concept of personal information is broader than the US concept of personally identifiable information (PII), and includes online identifiers such as IP addresses.

Accountability. This is a critical thread running throughout the GDPR. Accountability leads to a number of obligations for organizations in charge of personal information (known as controllers). It will not be sufficient for organizations to simply comply, they must demonstrate their compliance. Organizations will have to keep records, record and justify their decisions, record an individual’s consent, and may have to prove all this to a European regulator.

Security. The GDPR requires that organizations put "appropriate technical and organizational measures" in place to protect personal information. Technical measures include drive-based encryption, passwords, access controls, two-factor authentication, etc. Organizational measures include information management policies and having an information governance structure in place. What counts as appropriate depends on the circumstances: the type of data being processed, how sensitive it is, the volume, and the overall risk of data breaches.

Breach notifications. A personal data breach under the GDPR is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. That covers not only hacking incidents but also the loss of an unencrypted hard drive or failing to dispose of old records securely. Controllers must report a breach to the regulator without undue delay and, where feasible, within 72 hours of becoming aware of it (unless it is unlikely to result in a risk to individuals), and may also have to inform the affected individuals. Processors must inform the controller without undue delay.

Fines. One of the aims of the GDPR is to push data protection/security to a board level issue. As a result, the fines are significantly increased by up to 4% of global annual gross turnover or €20 million, whichever is greater. EU regulators also have significantly broader powers to investigate and put sanctions in place—including ordering an organization to cease processing data.

Pseudonymization. The GDPR defines pseudonymization as processing personal data so that it can no longer be attributed to a specific individual without additional information (such as a key or lookup table) that is kept separately and protected by technical and organizational measures. Reversible encryption with the key held separately is one way to achieve this, although the GDPR lists encryption and pseudonymization as distinct measures. Both are encouraged throughout the regulation as ways of significantly lowering the risks to individuals.

Principles. The GDPR is principles-based legislation, built on the same basic data protection principles that have been around since the 1980s. They include: acting within the law; informing individuals how their data will be used; only using data for a specific purpose; collecting the minimum data necessary; not keeping data longer than necessary, etc.

Data protection by design and by default. These GDPR concepts require that privacy and security considerations be baked into all data processing. Organizations should consider the protection principles when designing all new products and services, and defaults should be set to collect the minimum amount of personal data necessary.

Individuals' rights. Under the GDPR individuals have new and expanded rights. These include the right to ask any organization handling their information for a copy of it, to have it corrected if inaccurate, or deleted if no longer necessary. There are also rights to object to certain processing or to have one's information moved to another organization. These rights are not absolute, so organizations must understand when they apply.

Data processing agreements. The GDPR contains specific terms that must be in place between controllers (i.e. customers) and processors (i.e. vendors). Organizations need to put these terms, which cover items such as security obligations, in place by 25 May 2018.

Transfers. As with the current law, transfers of personal information outside the EU are prohibited unless one of a limited number of safeguards is in place. For US organizations the most relevant are the EU-US Privacy Shield, the EU Model Clauses or, for larger organizations, Binding Corporate Rules. (Note that the EU-US Privacy Shield was subsequently invalidated by the Court of Justice of the EU in July 2020 and can no longer be relied on as a transfer mechanism.)

 

Data Security/Encryption as a Compliance Tool

Seagate's Self-Encrypting Drives (SEDs) encrypt all data as it is written, using a data encryption key that is generated and stored on the drive itself and never leaves it, so everything on the media is ciphertext by default. One caveat a practitioner should keep in mind: that property only protects against reading the media directly or after the drive is retired. Unless a locking credential is enrolled (an authentication key via TCG Opal or Enterprise, or ATA Security) so that the drive powers up locked, a powered drive will decrypt for whoever connects it. To retire or repurpose the drive, the owner sends an Instant Secure Erase (ISE) command, which uses the SED's cryptographic erase capability to replace the data encryption key. The existing ciphertext remains on the media but can no longer be decrypted, and the operation takes the same time regardless of drive capacity.

Encryption and pseudonymization are encouraged throughout the GDPR and are mentioned 20 times in the text. While not specifically required, they are powerful tools, and organizations that use them benefit from lower compliance obligations. In particular, encryption can help in the following areas:

Security. While the GDPR leaves it to organizations to determine what appropriate security is, encryption is one of just four measures that are specifically suggested. When deciding which measures are appropriate, organizations must take into account the state of the art, the costs of implementation, the type of processing and the risks to individuals. This is an obligation for both controllers and processors. Encryption is one simple step organizations can take to lower risk, and regulators always take it into account when determining whether to levy a fine and, if so, the amount.

Fines. The GDPR sets out the factors a regulator will take into account in determining the level of a fine to impose on an infringing organization. One factor is the technical and organizational measures that were taken to adhere to Privacy by design/default and Security. Encrypted hard drives, removable drives and laptops are a simple way of demonstrating compliance with these obligations, thereby reducing the amount of any fine.

The regulator will also consider the negligence of the organization. Most regulators would consider encryption of data at rest and in transit to be a basic measure, particularly if the data is sensitive. Regulators have little patience for organizations that fail to put such obvious measures in place, so an organization that does not encrypt data at rest (SEDs being one way to do so) increases its risk of a much larger fine under the GDPR.

Breach notification. An organization must notify the regulator about a data breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the affected data were encrypted and the key was not compromised (for example a locked SED that was lost, or a drive that had already been crypto-erased with ISE before it left the organization's control), the data are of little use to a hacker or identity thief. The risk to individuals is lowered, so notifying the regulator may not be necessary, which avoids negative press for the organization. If the organization decides to notify the regulator in any case, it will need to describe the measures taken to mitigate the breach, which will include its encryption.

The test for whether to notify the affected individuals is whether the breach results in a high risk to their rights and freedoms. The GDPR specifically states (Article 34(3)(a)) that such notification is not required where the controller had applied measures that render the data unintelligible to anyone not authorised to access it, such as encryption, to the data affected. That exception depends on the key staying out of the attacker's hands: an SED with no locking credential enrolled, or a laptop lost while unlocked, does not qualify.

Principles. Because securely deleting data from storage media is hard, some organizations keep data they no longer need rather than delete it. That is expensive, increases the exposure in a breach, and violates the principles of data minimization and storage limitation. Seagate SEDs allow organizations to retire or repurpose drives confident that the data has been sanitized.

Further, there is an exception to the principle against using data for a further purpose if certain criteria are fulfilled. One criterion is whether the data has been pseudonymised.

Data protection by design. The GDPR lists pseudonymization as an example of a measure which implements data protection principles in their products/services. Data on Seagate SEDs is always encrypted at rest.

Data processing agreements. The GDPR requires that a controller and processor have terms in place to cover, among other things, security and data deletion. The customer must help to ensure that the vendor has appropriate security measures in place, and the vendor must agree to return or delete the customer's data at the end of the contract. While the data are not physically overwritten, cryptographic erase sanitizes them to the point that recovery is not feasible, which is sufficient for most customers' needs; cryptographic erase of a self-encrypting drive is listed as a purge method in NIST SP 800-88, and Seagate's data sanitization technology has been recognized as ISO 27001 and NIST compliant.

Individuals' rights. Individuals have the right to have their data deleted, but a controller only has to act where it can still identify the individual in the data it holds. ISE sanitizes an entire drive, so after ISE that drive holds no recoverable personal data and there is nothing on it left to delete or to link to a specific individual. It does not, however, satisfy an erasure request for one individual's records on a drive that is still in service; that has to be handled at the application or database level.
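The SED mechanism described in the Data Security/Encryption section above (sector encryption under a drive-held key, locking behind a credential, and Instant Secure Erase as key replacement), together with the condition on the breach-notification exception, modelled in Python. This is an added example, not Seagate firmware or any real drive's command set: the class ModelSED, its method names, the fixed PBKDF2 salt and the HMAC-SHA256 counter-mode stream that stands in for a drive's AES-XTS are all assumptions made for the model, and the sample record is constructed. It demonstrates two things the text only states: a drive with no locking credential enrolled reads back its data after a power cycle, so "always encrypted at rest" alone gives no protection against theft; and ISE leaves the ciphertext on the media while making it undecryptable.

```python
import hashlib
import hmac
import os


def prf_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stdlib stand-in for the AES-XTS
    a real drive uses. XOR with the keystream both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class DriveLocked(Exception):
    pass


class ModelSED:
    """Toy self-encrypting drive (an assumed model, not any real drive's interface).
    Sectors are encrypted under a drive-generated media key (DEK) that never leaves
    the drive; once a credential is enrolled the DEK is kept only wrapped and the
    drive powers up locked. Instant Secure Erase replaces the DEK, leaving ciphertext."""

    def __init__(self):
        self._dek = os.urandom(32)   # plaintext media key, held only while unlocked
        self._wrapped_dek = None     # DEK wrapped under the credential-derived KEK
        self._kek_check = None       # tag used to verify a presented credential
        self._session_kek = None     # KEK of the current authenticated session
        self._sectors = {}           # LBA -> ciphertext (the LBA serves as nonce)
        self._unlocked = True

    @staticmethod
    def _derive_kek(credential: str) -> bytes:
        # Salt and iteration count are assumptions made for this model only.
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), b"sed-kek-salt", 100_000)

    def enroll_credential(self, credential: str) -> None:
        """Enable locking: wrap the DEK under a key derived from the credential."""
        kek = self._derive_kek(credential)
        self._wrapped_dek = prf_stream_xor(kek, b"wrap", self._dek)
        self._kek_check = hmac.new(kek, b"check", hashlib.sha256).digest()
        self._session_kek = kek

    def power_cycle(self) -> None:
        """With a credential enrolled the drive boots locked and the plaintext DEK is
        gone until unlock(); with none enrolled a stolen drive simply reads."""
        if self._wrapped_dek is not None:
            self._dek = self._session_kek = None
            self._unlocked = False

    def is_locked(self) -> bool:
        return not self._unlocked

    def unlock(self, credential: str) -> bool:
        if self._kek_check is None:
            return True              # nothing enrolled: the drive is never locked
        kek = self._derive_kek(credential)
        tag = hmac.new(kek, b"check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._kek_check):
            return False             # wrong credential: stays locked, DEK unrecovered
        self._dek = prf_stream_xor(kek, b"wrap", self._wrapped_dek)
        self._session_kek, self._unlocked = kek, True
        return True

    def write(self, lba: int, data: bytes) -> None:
        if not self._unlocked:
            raise DriveLocked("write rejected: drive is locked")
        self._sectors[lba] = prf_stream_xor(self._dek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        if not self._unlocked:
            raise DriveLocked("read rejected: drive is locked")
        return prf_stream_xor(self._dek, lba.to_bytes(8, "big"), self._sectors[lba])

    def raw_sector(self, lba: int) -> bytes:
        return self._sectors[lba]    # what reading the media directly would show

    def instant_secure_erase(self) -> None:
        """Cryptographic erase: a fresh DEK makes every existing sector undecryptable
        at once, at a cost independent of capacity; the old ciphertext stays put."""
        if not self._unlocked:
            raise DriveLocked("ISE requires an authenticated session")
        self._dek = os.urandom(32)
        if self._session_kek is not None:
            self._wrapped_dek = prf_stream_xor(self._session_kek, b"wrap", self._dek)


if __name__ == "__main__":
    record = b"patient record #4711 (constructed sample data)"
    bare = ModelSED()                     # factory state: no credential enrolled
    bare.write(7, record)
    bare.power_cycle()
    print("no credential, readable after power cycle:", bare.read(7) == record)
    sed = ModelSED()
    sed.enroll_credential("correct horse battery staple")
    sed.write(7, record)
    sed.power_cycle()
    print("credential enrolled, locked after power cycle:", sed.is_locked())
    sed.unlock("correct horse battery staple")
    before = sed.raw_sector(7)
    sed.instant_secure_erase()
    print("ciphertext still on media after ISE:", sed.raw_sector(7) == before)
    print("plaintext recoverable after ISE:", sed.read(7) == record)
```

On real hardware the equivalent of enroll_credential is activating TCG Opal/Enterprise locking or ATA Security on the drive; until that is done, the drive behaves like the bare instance above, and the Article 34(3)(a) exception to notifying individuals should not be assumed to apply if such a drive goes missing.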

 

Conclusion

GDPR readiness is a major project for most organizations, and compliance will be an ongoing process after the May 2018 implementation date. Organizations that have not yet considered how they will adapt to the changes listed above need to formulate a strategy and take action immediately.

The GDPR is broader than data security alone. However, putting secure storage and encryption in place is one straightforward technical step organizations can take to become compliant and, crucially for the accountability principle, to demonstrate that they have. Seagate SEDs can be an important tool in the overall compliance armory.
